In yarn.lock file of my application I have "rc" : "1.2.8", but the issue is it has a dependent package "strip-json-comments" which takes very old version of itself.
its latest one is "3.1.0" and it is taking "2.0.1" which leads to security defect in application.
Below is the dependency tree of yarn.lock -
rc@^1.0.1, rc@^1.1.2, rc@^1.1.6, rc@^1.2.8:
version "1.2.8"
resolved "https://registry.yarnpkg.com/rc/-/rc-1.2.8.tgz#cd924bf5200a075b83c188cd6b9e211b7fc0d3ed"
integrity sha512-y3bGgqKj3QBdxLbLkomlohkvsA8gdAiUQlSBJnBhfn+BPxg4bc62d8TcBW15wavDfgexCgccckhcZvywyQYPOw==
dependencies:
deep-extend "^0.6.0"
ini "~1.3.0"
minimist "^1.2.0"
strip-json-comments "~2.0.1"
goatandsheep
commented
3 years ago
In yarn.lock file of my application I have "rc" : "1.2.8", but the issue is it has a dependent package "strip-json-comments" which takes very old version of itself. its latest one is "3.1.0" and it is taking "2.0.1" which leads to security defect in application.
Below is the dependency tree of yarn.lock - rc@^1.0.1, rc@^1.1.2, rc@^1.1.6, rc@^1.2.8: version "1.2.8" resolved "https://registry.yarnpkg.com/rc/-/rc-1.2.8.tgz#cd924bf5200a075b83c188cd6b9e211b7fc0d3ed" integrity sha512-y3bGgqKj3QBdxLbLkomlohkvsA8gdAiUQlSBJnBhfn+BPxg4bc62d8TcBW15wavDfgexCgccckhcZvywyQYPOw== dependencies: deep-extend "^0.6.0" ini "~1.3.0" minimist "^1.2.0" strip-json-comments "~2.0.1"